Re: semaphore usage "port based"? - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: semaphore usage "port based"? |
| Date | |
| Msg-id | 200604111942.k3BJgw604841@candle.pha.pa.us Whole thread Raw |
| In response to | Re: semaphore usage "port based"? (Stephen Frost <sfrost@snowman.net>) |
| Responses |
Re: semaphore usage "port based"?
(Stephen Frost <sfrost@snowman.net>)
|
| List | pgsql-hackers |
Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (pgman@candle.pha.pa.us) wrote:
> > <para>
> > + If running in FreeBSD jails by enabling <application>sysconf</>'s
> > + <literal>security.jail.sysvipc_allowed</>, <application>postmaster</>s
> > + running in different jails should be run by different operating system
> > + users. This improves security because it prevents one jail from
> > + interfering with shared memory or semaphores in another, and it
> > + allows the PostgreSQL IPC cleanup code to function properly.
> > + (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect
> > + processes in other jails, preventing the running of postmasters on the
> > + same port in different jails.)
> > + </para>
>
> This looks good, my only comment would be that we don't want people to
> believe that using different users somehow makes the sysv spaces
> seperate between the jails. It doesn't. Even when using different
> uids, a user who gets root in one jail would be able to mess with the
> Postgres instance in the other jail through IPC.
>
> Perhaps change:
>
> "This improves security because it prevents one jail from
> interfering with shared memory or semaphores in another"
>
> to:
>
> "This improves security because it prevents the postgres user in one
> jail from interfering with shared memory or semaphores owned by a
> different user in another jail (with BSD jails, root, or the same
> UID, in any jail can see and interfere with the shared memory and
> semaphores in any other jail of the same UID, or all if root)"
>
> That's still not great but I think it's a little better...
I updated the wording to say 'non-root users':
If running in FreeBSD jails by enabling <application>sysconf</>'s
<literal>security.jail.sysvipc_allowed</>,<application>postmaster</>s running in different jails should be run by
differentoperating system users. This improves security because it prevents non-root users from
interferingwith shared memory or semaphores in a different jail, and it allows the PostgreSQL IPC cleanup code to
functionproperly. (In FreeBSD 6.0 and later the IPC cleanup code doesn't properly detect processes in other
jails,preventing the running of postmasters on the same port in different jails.)
-- Bruce Momjian http://candle.pha.pa.us EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
pgsql-hackers by date: